From 7c58727dff359b0790b6152f6ecf69ac8ace6946 Mon Sep 17 00:00:00 2001 From: "Ye Yint @ Rolan" Date: Mon, 16 Apr 2018 16:19:46 +0800 Subject: [PATCH] updated link for Mitre April update --- Windows/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Windows/README.md b/Windows/README.md index 1f0fb2a6..6bea794c 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -2,22 +2,22 @@ | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control| |-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| Drive-by Compromise | CMSTP | [Accessibility Features](Persistence/Accessibility_Features.md)(Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | +| Drive-by Compromise | CMSTP | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | | Exploit Public-Facing Application | Command-Line Interface | AppCert DLLs | [Accessibility Features](Persistence/Accessibility_Features.md) | [BITS Jobs](Execution/Bitsadmin.md) | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | | Hardware Additions | Control Panel 
Items | [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Binary Padding | Credential Dumping | Browser Bookmark Discovery | Exploitation of Remote Services | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy| | Replication Through Removable Media | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) | Application Shimming | [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | File and Directory Discovery | [Logon Scripts](Persistence/Logon_Scripts.md) | [Data Staged](Collection/Data_Staged.md) | Data Transfer Size Limits | Custom Command and Control Protocol | -| Spearphishing Attachment Execution through API | [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | CMSTP | Credentials in Registry | Network Service Scanning | [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | -| Spearphishing Link | Execution through Module Load | [BITS Jobs](Execution/Bitsadmin.md) | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket Data from Local System | Exfiltration Over Command and Control Channel |Data Encoding | | +| Spearphishing Attachment | Execution through API | [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | CMSTP | Credentials in Registry | Network Service Scanning | [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) | Data from Information Repositories | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| Spearphishing Link | Execution through Module Load | [BITS Jobs](Execution/Bitsadmin.md) | [Bypass User Account 
Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Code Signing | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket | Data from Local System | Exfiltration Over Command and Control Channel |Data Encoding | | | Spearphishing via Service | Exploitation for Client Execution | Bootkit |DLL Search Order Hijacking | Component Firmware | Forced Authentication | Password Policy Discovery | [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | Supply Chain Compromise | Graphical User Interface | [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation for Privilege Escalation | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Hooking | Peripheral Device Discovery | Remote File Copy | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | |Trusted Relationship | [InstallUtil](Execution/InstallUtil.md) | [Change Default File Association](Persistence/Change_Default_File_Association.md) | Extra Window Memory Injection | Control Panel Items | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote Services | Email Collection | Scheduled Transfer | Fallback Channels | | Valid Accounts | LSASS Driver | Component Firmware | File System Permissions Weakness | DCShadow | Kerberoasting | Process Discovery | Replication Through Removable Media | [Input Capture](Collection/Input_Capture.md) | | Multi-Stage Channels | | | [Mshta](Execution/Mshta.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Hooking | DLL Search Order Hijacking | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Shared Webroot | Man in the Browser | | Multi-hop Proxy | -| |[PowerShell](Execution/PowerShell.md) | [Create Account](Credential_Access/Create_Account.md) | Image File Execution Options 
Injection | DLL Side-Loading | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) Taint Shared Content | Screen Capture | | Multiband Communication | +| |[PowerShell](Execution/PowerShell.md) | [Create Account](Credential_Access/Create_Account.md) | Image File Execution Options Injection | DLL Side-Loading | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Taint Shared Content | Screen Capture | | Multiband Communication | | |[Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | DLL Search Order Hijacking | [New Service](Persistence/New_Service.md) | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Password Filter DLL | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Third-party Software | Video Capture | | Multilayer Encryption | | |[Regsvr32](Execution/Regsvr32.md) | External Remote Services | Path Interception | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Private Keys](Credential_Access/Private_Keys.md) | [System Information Discovery](Discovery/System_Information_Discovery.md) | [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md) | | | Remote Access Tools | | |[Rundll32](Execution/rundll32.md) | File System Permissions Weakness | Port Monitors | Exploitation for Defense Evasion | Replication Through Removable Media | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | | | Remote File Copy | | -| |[Scheduled Task](Persistence/Scheduled_Task.md) | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | [Process Injection](Privilege_Escalation/Process_Injection.md) | Extra Window Memory Injection | Two-Factor Authentication Interception | System Network Connections Discovery | | | | | Standard Application Layer Protocol | +| |[Scheduled 
Task](Persistence/Scheduled_Task.md) | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | [Process Injection](Privilege_Escalation/Process_Injection.md) | Extra Window Memory Injection | Two-Factor Authentication Interception | System Network Connections Discovery | | | | Standard Application Layer Protocol | | | Scripting | Hooking | SID-History Injection | [File Deletion](Defense_Evasion/File_Deletion.md) | | [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) | | | | Standard Cryptographic Protocol| | |Service Execution | Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | File System Logical Offsets | | [System Service Discovery](Discovery/System_Service_Discovery.md) | | | | Standard Non-Application Layer Protocol| | |Signed Binary Proxy Execution | Image File Execution Options Injection | Service Registry Permissions Weakness | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | | [System Time Discovery](Discovery/System_Time_Discovery.md) | | | | Uncommonly Used Port| 
@@ -26,7 +26,7 @@ | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | Modify Existing Service | | Indicator Removal from Tools | | | | | | | | | User Execution | [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) | | | | | | | | | [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md) | [New Service](Persistence/New_Service.md) | |Indirect Command Execution | | | | | | | -| | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | Office Application Startup](Persistence/Office_Application_Startup.md) | |Install Root Certificate | | | | | | | +| | [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md) | [Office Application Startup](Persistence/Office_Application_Startup.md) | |Install Root Certificate | | | | | | | | | | Path Interception | |[InstallUtil](Execution/InstallUtil.md) | | | | | | | | | | Port Monitors | |Masquerading | | | | | | | | | | Redundant Access | |Modify Registry | | | | | | |
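Review bot: The commit message "updated link for Mitre April update" describes only one of the five changed rows in the first hunk (the `@@ -2,22 +2,22 @@` hunk). The other four restore the table's column alignment rather than a link: `Spearphishing Attachment Execution through API`, `Pass the Ticket Data from Local System` and `[Remote System Discovery](...) Taint Shared Content` each gain the missing `|` separator that had merged two cells, and the `[Scheduled Task]` row drops one surplus empty cell so it lines up with the `Standard Application Layer Protocol` column. The message should say the table cell separators were fixed, since that is what a reader of `git log` needs to know; a markdown table lint that checks every row against the 11 header columns would have caught these before merge.

Review bot: In the `@@ -26,7 +26,7 @@` hunk the only change is the restored opening `[` in `[Office Application Startup](Persistence/Office_Application_Startup.md)`, which is correct; without it the row rendered the raw `](...)` text. Worth confirming in the same pass that the neighbouring cell in the Execution column, `[Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)`, is meant to point into the Lateral_Movement directory rather than an Execution page, since the row is otherwise untouched and the link target crosses tactic directories.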